Data Breach Response: Top Tips for Businesses


Ilia Sotnikov, VP of Product Management at Netwrix

Since the coronavirus pandemic forced organisations to adopt remote working and to rely on digital tools and processes more than ever before, the number of data breaches has risen at an unprecedented rate. Twitter, EasyJet and Zoom are just a few of the major cases that have made headlines in recent months. Unfortunately, the phrase ‘a data breach is just a matter of time’ is now more relevant than ever for any company, regardless of its size or vertical; if anything, the technological responses to the pandemic mean a breach may come sooner than previously expected. Against this backdrop, every organisation must be ready to respond to a breach and to mitigate its impact effectively.

Start with cybersecurity fundamentals

An organisation that does not follow basic cyber security practices is unlikely to handle a data breach effectively. If it does not know what types of sensitive data it holds, where that data resides, or whether that data is already exposed through excessive permissions, it cannot quickly assess the scope of an incident or block the access being abused. Following the fundamentals is therefore the cornerstone of efficient incident response. These practices include keeping sensitive data in secured locations, eliminating data overexposure (for example, confidential files readable by everyone in the company) and revoking access rights that are no longer needed. With that level of visibility, an IT team can get to the bottom of a breach quickly, analyse the context around it and take adequate measures to remediate it. If you know exactly what data you have, where it resides and how employees interact with it, you can focus your response on a specific system, user or type of data, which makes incident response far more effective.
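The kind of overexposure check described above, as an added example that is not Netwrix code or part of the original article: it builds a throwaway directory tree of constructed sample files, classifies each file as sensitive by content (a Luhn-valid card number or a PII marker; both the patterns and the thresholds are assumptions for illustration), inspects the POSIX mode bits, reports sensitive files that are readable or writable beyond their owner, and revokes that access. In a Windows or SharePoint estate the same logic would run over ACLs rather than mode bits, but the workflow (classify, find exposure, revoke) is identical.

```python
"""Added example: locate sensitive files that are overexposed by file permissions.

Not Netwrix code. The sample tree, the content classifier and the notion of
"overexposed" (readable by 'other', or writable by group/other) are assumptions.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Hypothetical classifier: card-number-shaped digit runs (validated with Luhn)
# or an explicit PII marker mark a file as sensitive.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
PII_MARKERS = ("ssn:", "passport", "date of birth")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_sensitive(text: str) -> bool:
    low = text.lower()
    if any(marker in low for marker in PII_MARKERS):
        return True
    return any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text))


@dataclass
class Finding:
    path: str
    mode: str    # octal mode bits, e.g. "0644"
    reason: str


def scan_tree(root: str) -> list[Finding]:
    """Walk root and return sensitive regular files whose mode grants access beyond the owner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as f:
                    text = f.read(1_000_000)  # cap the read; classification only needs a sample
            except OSError:
                continue
            if not is_sensitive(text):
                continue
            perm = stat.S_IMODE(st.st_mode)
            reasons = []
            if perm & stat.S_IROTH:
                reasons.append("world-readable")
            if perm & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("group/world-writable")
            if reasons:
                findings.append(Finding(path, f"{perm:04o}", ", ".join(reasons)))
    return findings


def remediate(findings: list[Finding]) -> list[str]:
    """Revoke 'other' access and group write on each finding; return the paths changed."""
    changed = []
    for f in findings:
        perm = stat.S_IMODE(os.lstat(f.path).st_mode)
        os.chmod(f.path, perm & ~(stat.S_IRWXO | stat.S_IWGRP))
        changed.append(f.path)
    return changed


def build_sample_tree() -> str:
    """Constructed sample data: an exposed card file, a locked-down PII file and a harmless file."""
    root = tempfile.mkdtemp(prefix="exposure-demo-")
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "public"))
    samples = {
        "finance/refunds.csv": ("customer,card\nA. Smith,4111 1111 1111 1111\n", 0o644),  # well-known test PAN
        "finance/payroll.txt": ("name,SSN: 000-00-0000\n", 0o600),
        "public/readme.txt": ("Nothing sensitive here.\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        p = os.path.join(root, rel)
        with open(p, "w", encoding="utf-8") as f:
            f.write(content)
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in scan_tree(root):
        print(f"{f.mode} {f.reason}: {f.path}")
    print("fixed:", remediate(scan_tree(root)))
```

Only refunds.csv is reported: payroll.txt is sensitive but already restricted to its owner, and readme.txt is world-readable but contains nothing sensitive. Scanning by content and by permission together is what keeps the result actionable; either one alone produces a list too long to act on.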

Improve detection capabilities

According to a recent report by Microsoft, threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to detect. This is worrying, because the longer a breach remains undetected, the worse its consequences are for an organisation. Ensuring that an intrusion can be detected in a timely manner is therefore an essential part of any incident response strategy. Detection of security incidents must be automated: that is what lets an organisation determine the best response quickly and minimise the damage. If the IT team has an automated solution that monitors user activity and raises alerts on abnormal behaviour (for example, a user reading far more sensitive files than usual, or sharing them outside the company), it has a much better chance of catching a breach before the data is actually exfiltrated. The Netwrix 2020 Data Risk and Security Report supports this point: according to the study, 48% of organisations with automated monitoring of data sharing detected security incidents within minutes, while those without automated processes took days (56% of organisations) or even weeks (22% of organisations).
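What automated detection of abnormal user activity looks like in practice, as an added example that is not part of the original article and not a Netwrix or Windows event format: the block parses constructed file-activity audit lines and raises alerts for three patterns that typically precede exfiltration. The log layout, the "confidential" label, the ten-minute window, the distinct-file threshold, the business-hours range and the internal domain are all assumptions for illustration.

```python
"""Added example: rule-based detection over file-activity audit logs.

Not Netwrix code. Log format (constructed): ISO timestamp, user, action, path,
sensitivity label, and for 'share' events the recipient address.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: alice works normally, then shares a confidential file
# externally; bob pulls a series of payroll files late in the evening.
SAMPLE_LOG = """\
2020-09-14T09:02:11 alice read /finance/q3/forecast.xlsx confidential
2020-09-14T09:05:40 alice read /finance/q3/budget.xlsx confidential
2020-09-14T09:30:02 bob read /hr/policies/handbook.pdf public
2020-09-14T10:12:55 alice share /finance/q3/budget.xlsx confidential partner@vendor.example
2020-09-14T10:15:30 alice share /finance/q3/forecast.xlsx confidential dave@corp.example
2020-09-14T22:41:09 bob read /hr/payroll/2020-09.csv confidential
2020-09-14T22:42:13 bob read /hr/payroll/2020-08.csv confidential
2020-09-14T22:43:05 bob read /hr/payroll/2020-07.csv confidential
2020-09-14T22:44:47 bob read /hr/payroll/2020-06.csv confidential
2020-09-14T22:45:58 bob read /hr/payroll/2020-05.csv confidential
2020-09-14T22:46:31 bob read /hr/payroll/2020-04.csv confidential
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    path: str
    label: str
    target: str = ""   # recipient for share events, empty otherwise


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        target = parts[5] if len(parts) > 5 else ""
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], parts[4], target))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[Event], *, window: timedelta = timedelta(minutes=10), max_distinct: int = 4,
           business_hours: tuple[int, int] = (8, 18), internal_domains: tuple[str, ...] = ("corp.example",)) -> list[Alert]:
    """Apply three rules to confidential-data events and return alerts in time order."""
    alerts: list[Alert] = []
    fired: set[tuple[str, str]] = set()          # (rule, user) pairs already raised once
    recent: dict[str, list[Event]] = defaultdict(list)  # per-user events inside the sliding window

    def raise_once(rule: str, user: str, detail: str) -> None:
        if (rule, user) not in fired:
            fired.add((rule, user))
            alerts.append(Alert(rule, user, detail))

    for e in events:
        if e.label != "confidential":
            continue
        # Rule 1: confidential data shared with a recipient outside the organisation.
        if e.action == "share" and e.target:
            domain = e.target.rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                alerts.append(Alert("external-share", e.user, f"{e.path} -> {e.target}"))
        # Rule 2: confidential data touched outside business hours (one alert per user).
        if not business_hours[0] <= e.ts.hour < business_hours[1]:
            raise_once("off-hours", e.user, f"{e.path} at {e.ts:%H:%M}")
        # Rule 3: more distinct confidential files than expected inside the sliding window.
        hist = recent[e.user]
        hist.append(e)
        while e.ts - hist[0].ts > window:
            hist.pop(0)
        distinct = {h.path for h in hist}
        if len(distinct) > max_distinct:
            raise_once("mass-access", e.user, f"{len(distinct)} distinct files within {window}")
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"[{a.rule}] {a.user}: {a.detail}")
```

On the sample log this yields one external-share alert for alice (the share to dave@corp.example is internal and stays silent) and, for bob, one off-hours alert at the first payroll read and one mass-access alert at the fifth distinct file. The rules are deliberately simple; a production system would derive each user's baseline from their own history rather than a fixed threshold, but the shape of the pipeline (normalise events, keep a window of recent activity per user, compare against what is normal) is the same.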

Make sure your Incident Response Program is actionable

You probably have at least part of your incident response program (IRP) documented and stored on your organisation’s intranet, usually as policy, standards and procedures. It is critically important, however, to standardise the different aspects of this program so that it can actually be executed. This includes clearly defining every organisational role in the program so that everyone knows their duties and responsibilities. It is also important that all employees have been trained on what to do if they notice a security incident: how to report it, and who is responsible for taking further action. As an additional benefit, this training reduces the risk of a breach caused by human error, because employees better understand the damage a single mistake can cause. Last but not least, any IRP should be thoroughly tested, for instance through tabletop exercises, so that technical and communication gaps are found and fixed before a real incident, and the response runs smoothly when one happens.

Recover and learn from mistakes

If any data was lost or altered as a result of the breach, it is essential to prioritise recovery of the key data, and then to focus on organisational recovery so that operations return to normal. Once that is complete, the final step is to feed the lessons learnt from the breach back into the organisation’s security strategy. This includes identifying and closing the security gaps that allowed the breach to occur, so that attackers cannot break in the same way again.

Data breaches are inevitable, especially as the ‘cyber-pandemic’ continues, and that reality requires organisations to remain in a constant state of readiness. However, organisations that follow these tips and arm themselves with easy-to-use detection tools will keep their losses from data breaches to a minimum.